How to distinguish WinRM legitimate requests from rogue ones?

  networking, security, windows, winrm, wireshark

I have a WinRM setup in a domain environment using Kerberos authentication. I recently performed a routine network capture with Wireshark and I was surprised to see some WinRM POST requests (on port 5985) originating from a server where no end-user has initiated such a request. On both the source and target server WinRM is activated:

xxx 2021-xx-xx xx:xx:xx,xxxxxx  <source ip> <dest ip>   HTTP    1385    5985    POST /wsman HTTP/1.1 
xxx 2021-xx-xx xx:xx:xx,xxxxxx  <source ip> <dest ip>   HTTP    800     5985    POST /wsman HTTP/1.1  (application/http-kerberos-session-encrypted)

On the server initiating those calls to WinRM, the event log "Windows/Windows Remote Management/Operational" shows a bunch of WinRM operations initiated under various legitimate user sessions, but by users who haven’t issued any PowerShell remoting/WinRM commands, which I find a bit odd.

Source: Windows Remote Management
Event id: 6, 8, 10, 11, 13, 15, 16, 33, 91, 132, 145, 254

Those events are WSMan API initialization, WSMan API calls, session termination, responses management, etc.

Is there some kind of legitimate traffic routinely initiated by the WinRM architecture outside user-initiated actions like executing PowerShell remoting commands or running explicit API calls from third-party libraries/applications like Pywinrm?

I haven’t seen any mention of this during my research so far, so how can I distinguish WinRM legitimate requests from rogue ones in this context?
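One way to take the event-log side of this a step further, as an added example that is not part of the original question: on the server that sends the POST /wsman requests, group the WinRM Operational events by the process and account that raised them, so that a service or scheduled task calling the WSMan API can be told apart from a user who actually ran a remoting command. The script assumes it runs elevated on that server; the channel name is the one Windows registers for the log shown in Event Viewer as "Windows Remote Management/Operational", the event IDs are the ones listed in the question, and the regex used to pull the destination out of the event message is an assumption about the message text.

```powershell
# Added example, not code from the original post. Run elevated on the server that
# initiates the WinRM calls (the source of the POST /wsman requests in the capture).
$ids   = 6, 8, 10, 11, 13, 15, 16, 33, 91, 132, 145, 254   # IDs seen in the question
$since = (Get-Date).AddDays(-1)                            # look back one day (adjust)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WinRM/Operational'      # registered channel name
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

# Translate the SID stored on each record to an account name when the domain can resolve it
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$sid) {
    if ($null -eq $sid) { return '<none>' }
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# Assumption: messages that mention the target contain a "<host>/wsman..." fragment,
# matching the /wsman path seen in the capture. Anything else yields no destination.
function Get-WsmanTarget([string]$message) {
    if ($message -match '(\S+/wsman\S*)') { return $Matches[1] } else { return '' }
}

# One row per (process, account): a non-interactive service or scheduled task that
# talks WSMan on a logged-on user's behalf shows up here with its own process name,
# which is what distinguishes it from an interactive Enter-PSSession / Invoke-Command.
$summary = $events | Group-Object ProcessId, UserId | ForEach-Object {
    $group   = $_.Group | Sort-Object TimeCreated
    $first   = $group[0]
    $proc    = Get-Process -Id $first.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessId = $first.ProcessId
        Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }   # PID may be reused
        Account   = Resolve-Sid $first.UserId
        Events    = $_.Count
        Ids       = ($group.Id | Sort-Object -Unique) -join ','
        Targets   = ($group | ForEach-Object { Get-WsmanTarget $_.Message } |
                     Where-Object { $_ } | Sort-Object -Unique) -join ' '
        FirstSeen = $first.TimeCreated
        LastSeen  = $group[-1].TimeCreated
    }
}

$summary | Sort-Object Events -Descending | Format-Table -AutoSize
```

Rows whose Process is a service host or an agent rather than powershell.exe, or whose Targets are hosts the account has no business managing, are the ones to compare against the source/destination pairs in the Wireshark capture.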

Source: Windows Questions